CASSJAVA-80: Support configuration to disable DNS reverse-lookups for SAN validation #2018
2c6c0f9 to c8e5b56
frankgh
left a comment
Looks good in general. Do we need to do the same for ProgrammaticSslEngineFactory and SniSslEngineFactory?
c8e5b56 to 2d83d21
Definitely see the value in doing it for the Programmatic one (I see you already covered that, thanks!), for SNI I think there is less utility as you are likely using a DNS name with the IP of the node to target in the SNI, but I think we might as well add it though just in the event that someone is using a literal IP address for the primary endpoint for tunneling through SNI.
tolbertam
left a comment
👍 looks great; if you don't mind also adding this for the SNI factory for completeness that'd be good, but I'm +1 either way.
| this(sslContext, true); | ||
| } | ||
|
|
||
| public SniSslEngineFactory(SSLContext sslContext, boolean allowDnsReverseLookupSan) { |
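Review bot: The new public constructor `SniSslEngineFactory(SSLContext sslContext, boolean allowDnsReverseLookupSan)` at the end of this hunk has no visible Javadoc for the added parameter, and the delegating call `this(sslContext, true);` passes a bare boolean whose meaning is not obvious at the call site. Please document what `allowDnsReverseLookupSan` controls and state that the existing single-argument constructor keeps reverse lookups enabled by delegating with `true`, so callers who want them disabled know they must pass `false` explicitly.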
Didn't dawn on me at the time that SniSslEngineFactory does not access DriverContext so we can't make use of it unless programmatically (outside of CloudConfigFactory), but I suppose if someone wants to use it separately, they can programmatically and in which case this adds some functionality 👍
… SAN validation patch by Abe Ratnofsky; reviewed by Alexandre Dutra, Andy Tolbert, and Francisco Guerrero for CASSJAVA-80
5f8fe8a to b3b9cf1
… SAN validation Upstream PR: apache#2018 Cherry-picked from: 3bb5b18, 7982f41